Computing networks can include multiple network devices such as routers, switches, hubs, servers, desktop PCs, laptops, and workstations, and peripheral devices, e.g., printers, facsimile devices, and scanners, networked together across a local area network (LAN) and/or wide area network (WAN).
Networks can include an intrusion system (IS), e.g., an intrusion prevention system (IPS) and/or intrusion detection system (IDS), that serves to detect unwanted intrusions/activities directed at the computer network. Unwanted network intrusions/activities may take the form of attacks by computer viruses and/or hackers, among others, attempting to access the network. To this end, an IS can identify different types of suspicious network traffic and network device usage that cannot be detected by a conventional firewall. Thus, an IS may identify network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, denial of service attacks, port scans, unauthorized logins and access to sensitive files, viruses, Trojan horses, and worms, among others.
In previous approaches, to identify network traffic of interest, data traffic must pass through a point of the network where an IS is located. Typically this would be a port on a switch. That is, an IS may be connected to a port on a network device such as a switch, router, etc., so that the IS can identify suspicious network traffic passing through that network device. If an IS is not connected in-line with, or on, a particular network device, attacks passing through that network device cannot be detected. In previous approaches, to detect such suspicious network traffic on every path, each port of the network would have to have an IS. For large network systems, however, having an IS at each port can be both very expensive to implement and very complex to maintain.